author | Campus <campus@ntop.org> | 2016-11-20 13:07:00 +0100 |
---|---|---|
committer | Campus <campus@ntop.org> | 2016-11-20 13:07:00 +0100 |
commit | 9abbef7e05ba8196804962e63e5119cf75436c8b (patch) | |
tree | d4bdf1a45b1b09204216a3aa611b33523839ee44 | |
parent | 1fbe25f91e87282c22e317e5f7b4c9cdccf2e8ad (diff) |
added iqiyi media service and updated ppstream protocol - added 1kxun media service
-rw-r--r-- | src/include/ndpi_protocol_ids.h | 4 | ||||
-rw-r--r-- | src/include/ndpi_protocols.h | 2 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 3 | ||||
-rw-r--r-- | src/lib/Makefile.am | 1 | ||||
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 23 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 8 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 150 | ||||
-rw-r--r-- | src/lib/protocols/kxun.c | 98 | ||||
-rw-r--r-- | src/lib/protocols/ppstream.c | 248 | ||||
-rw-r--r-- | tests/pcap/1kxun.pcap | bin | 0 -> 678592 bytes | |||
-rw-r--r-- | tests/pcap/pps.pcap | bin | 0 -> 2332728 bytes | |||
-rw-r--r-- | tests/result/1kxun.pcap.out | 147 | ||||
-rw-r--r-- | tests/result/http_ipv6.pcap.out | 8 | ||||
-rw-r--r-- | tests/result/mpeg.pcap.out | 2 | ||||
-rw-r--r-- | tests/result/pps.pcap.out | 117 |
15 files changed, 698 insertions, 113 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index dc391989d..7c1ed4a99 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -265,9 +265,11 @@ #define NDPI_SERVICE_IFLIX 215 /* www.vizuamatix.com R&D team & M.Mallawaarachchie <manoj_ws@yahoo.com> */ #define NDPI_SERVICE_GITHUB 216 #define NDPI_PROTOCOL_BJNP 217 +#define NDPI_SERVICE_1KXUN 218 +#define NDPI_SERVICE_IQIYI 219 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ -#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_BJNP +#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_SERVICE_IQIYI #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index ae4861b07..16ffb930b 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -193,6 +193,7 @@ void ndpi_search_rx(struct ndpi_detection_module_struct *ndpi_struct, struct ndp void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_drda(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_bjnp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_kxun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); /* --- INIT FUNCTIONS --- */ void init_afp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_aimini_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); 
@@ -333,4 +334,5 @@ void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3 void init_hangout_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_drda_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_bjnp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_kxun_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); #endif /* __NDPI_PROTOCOLS_H__ */ diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 414c04abb..094558548 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -572,6 +572,9 @@ struct ndpi_flow_tcp_struct { u_int8_t prev_zmq_pkt_len; u_char prev_zmq_pkt[10]; #endif +#ifdef NDPI_PROTOCOL_PPSTREAM + u_int32_t ppstream_stage:3; +#endif } #ifndef WIN32 __attribute__ ((__packed__)) diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index 26d60029c..e47cb9934 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -66,6 +66,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/kakaotalk_voice.c \ protocols/kerberos.c \ protocols/kontiki.c \ + protocols/kxun.c \ protocols/ldap.c \ protocols/lotus_notes.c \ protocols/mail_imap.c \ diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 67fbe9a8c..9d0d54e1a 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc 
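Review bot: The `ppstream_stage:3` bit-field added to `struct ndpi_flow_tcp_struct` holds only 0–7, while the http.c changes in this commit bump it with a plain `flow->l4.tcp.ppstream_stage++` each time an iQIYI pattern matches. If one flow matches eight times the field wraps to 0 and the `ppstream_stage > 0` test in `check_content_type_and_change_protocol` stops firing. Since only zero/non-zero is ever tested, assigning `flow->l4.tcp.ppstream_stage = 1;` at the match sites avoids the wrap, and a comment on the field such as `/* non-zero once PPStream/iQIYI was seen on this HTTP flow */` would record the intent. The struct definition starts and ends outside the hunk.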
@@ -7517,14 +7517,21 @@ ndpi_protocol_match host_match[] = { /* Detected "slack-assets2.s3-us-west-2.amazonaws.com.". Omitted "*amazonaws.com" CDN, but no generic pattern to use on first part */ { "slack-assets2.s3-", "Slack", NDPI_SERVICE_SLACK, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - { "github.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - { ".github.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - /* https://github.com/blog/1452-new-github-pages-domain-github-io */ - { "github.io", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - { ".github.io", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - /* https://developer.github.com/changes/2014-04-25-user-content-security/ */ - { "githubusercontent.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - { ".githubusercontent.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { "github.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { ".github.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { "github.io", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { ".github.io", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { "githubusercontent.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { ".githubusercontent.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + + { ".iqiyi.com", "iQIYI", NDPI_SERVICE_IQIYI, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { 
".qiyi.com", "iQIYI", NDPI_SERVICE_IQIYI, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".71.am", "iQIYI", NDPI_SERVICE_IQIYI, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".qiyipic.com", "iQIYI", NDPI_SERVICE_IQIYI, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".ppstream.com", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".pps.tv", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".1kxun.", "1kxun", NDPI_SERVICE_1KXUN, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { "tcad.wedolook.com", "1kxun", NDPI_SERVICE_1KXUN, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { NULL, 0 } }; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 108450eec..7dd3b04a1 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1568,6 +1568,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "BJNP", NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_SERVICE_1KXUN, + no_master, + no_master, "1kxun", NDPI_PROTOCOL_CATEGORY_MEDIA, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ /* calling function for host and content matched protocols */ @@ -2621,6 +2626,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* BJNP */ init_bjnp_dissector(ndpi_struct, &a, detection_bitmask); + /* 1KXUN */ + init_kxun_dissector(ndpi_struct, &a, detection_bitmask); + /*** Put false-positive sensitive protocols at the end ***/ /* SKYPE */ diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 039f38b56..6c7db2d7d 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c 
@@ -21,15 +21,19 @@ * along with nDPI. If not, see <http://www.gnu.org/licenses/>. * */ - #include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_HTTP + +/* global variables used for 1kxun protocol and iqiyi service */ +static u_int16_t kxun_counter; +static u_int16_t iqiyi_counter; + static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int32_t protocol) { - + if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { /* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */ @@ -97,11 +101,14 @@ static void avi_check_http_payload(struct ndpi_detection_module_struct *ndpi_str return; } + /** + for reference see http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/directx9_c/directx/htm/avirifffilereference.asp + **/ if(packet->empty_line_position_set != 0) { - // check for avi header - // for reference see http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/directx9_c/directx/htm/avirifffilereference.asp + u_int32_t p = packet->empty_line_position + 2; + // check for avi header NDPI_LOG(NDPI_CONTENT_AVI, ndpi_struct, NDPI_LOG_DEBUG, "p = %u\n", p); if((p + 16) <= packet->payload_packet_len && memcmp(&packet->payload[p], "RIFF", 4) == 0 
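Review bot: `kxun_counter` and `iqiyi_counter` are file-scope statics, so they are shared by every flow and every thread in the process, and nothing in the visible hunks ever resets them. Once a single request has incremented one of them (the increments are in the `ndpi_check_http_tcp` hunk), the new branches in `check_content_type_and_change_protocol` label every later HTTP flow as iQIYI or 1kxun, so one crafted request can skew classification, and any policy built on it, for unrelated traffic. The expected output added in tests/result/1kxun.pcap.out lists the flow with Host `dl-obs.official.line.naver.jp` as `218/1kxun`, which looks like this effect. The match result belongs in the flow: test the per-flow `flow->l4.tcp.ppstream_stage` this commit already adds, add an equivalent per-flow bit for 1kxun, and drop both globals. Unsynchronised `++` on shared counters is also a data race when several threads dissect concurrently.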
@@ -153,25 +160,21 @@ static void setHttpUserAgent(struct ndpi_flow_struct *flow, char *ua) { else if(!strcmp(ua, "Windows NT 5.1")) ua = "Windows XP"; else if(!strcmp(ua, "Windows NT 5.2")) ua = "Windows Server 2003"; else if(!strcmp(ua, "Windows NT 6.0")) ua = "Windows Vista"; - // else if(!strcmp(ua, "Windows NT 7.0")) ua = "Windows 7"; else if(!strcmp(ua, "Windows NT 6.1")) ua = "Windows 7"; else if(!strcmp(ua, "Windows NT 6.2")) ua = "Windows 8"; else if(!strcmp(ua, "Windows NT 6.3")) ua = "Windows 8.1"; - //printf("==> %s\n", ua); + // printf("==> %s\n", ua); snprintf((char*)flow->detected_os, sizeof(flow->detected_os), "%s", ua); } static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - // int i = 0; - //struct ndpi_packet_struct *packet = &flow->packet; - - if((flow->l4.tcp.http_stage == 0) - || (flow->http.url && flow->http_detected)) { - /* - NOTE - If http_dont_dissect_response = 1 dissection of HTTP response - mime types won't happen + + if((flow->l4.tcp.http_stage == 0) || (flow->http.url && flow->http_detected)) { + /** + NOTE + If http_dont_dissect_response = 1 dissection of HTTP response + mime types won't happen */ ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, strlen((const char *)flow->host_server_name), 
@@ -179,24 +182,39 @@ static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struc } } -/* - NOTE - - ndpi_parse_packet_line_info @ ndpi_main.c - is the code that parses the packet +/** + NOTE + ndpi_parse_packet_line_info is in ndpi_main.c */ static void check_content_type_and_change_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { -#ifdef NDPI_CONTENT_MPEG + struct ndpi_packet_struct *packet = &flow->packet; + u_int8_t a; + + +#ifdef NDPI_PROTOCOL_PPSTREAM + /* PPStream */ + if(flow->l4.tcp.ppstream_stage > 0 && iqiyi_counter == 0) { + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, "PPStream found.\n"); + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM); + } + else if(iqiyi_counter > 0) { + NDPI_LOG(NDPI_SERVICE_IQIYI, ndpi_struct, NDPI_LOG_DEBUG, "iQiyi found.\n"); + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_SERVICE_IQIYI); + } #endif -#ifdef NDPI_CONTENT_AVI -#endif - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - u_int8_t a; + +#ifdef NDPI_SERVICE_1KXUN + /* 1KXUN */ + if( kxun_counter > 0) { + NDPI_LOG(NDPI_SERVICE_1KXUN, ndpi_struct, NDPI_LOG_DEBUG, "1kxun found.\n"); + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_SERVICE_1KXUN); + } +#endif + if(!ndpi_struct->http_dont_dissect_response) { if((flow->http.url == NULL) && (packet->http_url_name.len > 0) @@ -250,7 +268,8 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } if(packet->user_agent_line.ptr != NULL && packet->user_agent_line.len != 0) { - /* Format: + /** + Format: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) .... */ if(packet->user_agent_line.len > 7) { 
@@ -418,7 +437,7 @@ static void check_http_payload(struct ndpi_detection_module_struct *ndpi_struct, } /** - * this functions checks whether the packet begins with a valid http request + * Functions to check whether the packet begins with a valid http request * @param ndpi_struct * @returnvalue 0 if no valid request has been found * @returnvalue >0 indicates start of filename but not necessarily in packet limit @@ -431,7 +450,10 @@ static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *nd packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3], packet->payload_packet_len); - /* FIRST PAYLOAD PACKET FROM CLIENT */ + /** + FIRST PAYLOAD PACKET FROM CLIENT + **/ + /* check if the packet starts with POST or GET */ if(packet->payload_packet_len >= 4 && memcmp(packet->payload, "GET ", 4) == 0) { NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: GET FOUND\n"); 
@@ -790,6 +812,43 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct } x++; } + + /* check PPStream protocol or iQiyi service + (iqiyi is deliverd by ppstream) */ + // substring in url + int no_pps = 0; + if(strstr((const char*) &packet->payload[filename_start], "iqiyi.com") != NULL) { + if(kxun_counter == 0) { + flow->l4.tcp.ppstream_stage++; + iqiyi_counter++; + check_content_type_and_change_protocol(ndpi_struct, flow); /* ***** CHECK ****** */ + return; + } + } + // additional field in http payload + x = 1; + while(packet->line[x].len != 0) { + if((memcmp(packet->line[x].ptr, "qyid", 4)) == 0 && + (memcmp(packet->line[x+1].ptr, "qypid", 5)) == 0 && + (memcmp(packet->line[x+2].ptr, "qyplatform", 10)) == 0) { + flow->l4.tcp.ppstream_stage++; + iqiyi_counter++; + check_content_type_and_change_protocol(ndpi_struct, flow); + return; + } + x++; + } + + /* Check for 1kxun packet */ + for (int a = 0; a < packet->parsed_lines; a++) { + if((memcmp(packet->line[a].ptr, "Client-Source:", 14)) == 0) { + if((memcmp(packet->line[a].ptr+15, "1kxun", 5)) == 0) { + kxun_counter++; + check_content_type_and_change_protocol(ndpi_struct, flow); + return; + } + } + } if((packet->http_url_name.len > 7) && (!strncmp((const char*) packet->http_url_name.ptr, "http://", 7))) { 
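Review bot: The new iQIYI and 1kxun checks read packet bytes without any length checks. `strstr()` runs on `&packet->payload[filename_start]`, which is wire data with no NUL terminator visible here, so the scan can continue past the end of the payload. The `qyid`/`qypid`/`qyplatform` loop indexes `line[x+1]` and `line[x+2]` without comparing against `parsed_lines` and calls `memcmp()` with fixed lengths whatever `.len` is, and the `Client-Source:` test reads `ptr+15` to `ptr+19` on lines that may be shorter than 20 bytes. Because this path handles every HTTP request seen on the wire, each of these is an out-of-bounds read reachable from untrusted traffic. The sketch below bounds all three by `payload_packet_len`, `parsed_lines` and `.len`; the unused `int no_pps` can be dropped, and `ndpi_check_http_tcp` itself starts and ends outside the hunk.

```c
  /* … unchanged: preceding header scan loop … */

  /* iQIYI in the URL: bounded search, the payload is not NUL-terminated */
  if(filename_start < packet->payload_packet_len) {
    const u_int8_t *url = &packet->payload[filename_start];
    u_int16_t url_len = packet->payload_packet_len - filename_start;
    u_int16_t i;

    for(i = 0; i + 9 <= url_len; i++) {
      if(memcmp(&url[i], "iqiyi.com", 9) == 0) {
        /* … unchanged: kxun_counter test, stage/counter increment,
           check_content_type_and_change_protocol(), return … */
      }
    }
  }

  /* qyid / qypid / qyplatform on three consecutive parsed lines */
  for(x = 1; x + 2 < packet->parsed_lines; x++) {
    if(packet->line[x].len >= 4
       && packet->line[x+1].len >= 5
       && packet->line[x+2].len >= 10
       && memcmp(packet->line[x].ptr, "qyid", 4) == 0
       && memcmp(packet->line[x+1].ptr, "qypid", 5) == 0
       && memcmp(packet->line[x+2].ptr, "qyplatform", 10) == 0) {
      /* … unchanged: stage/counter increment,
         check_content_type_and_change_protocol(), return … */
    }
  }

  /* 1kxun: "Client-Source:" (14) + separator (1) + "1kxun" (5) = 20 bytes */
  for(x = 0; x < packet->parsed_lines; x++) {
    if(packet->line[x].len >= 20
       && memcmp(packet->line[x].ptr, "Client-Source:", 14) == 0
       && memcmp(packet->line[x].ptr + 15, "1kxun", 5) == 0) {
      /* … unchanged: kxun_counter++,
         check_content_type_and_change_protocol(), return … */
    }
  }
```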
@@ -809,11 +868,11 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct "HTTP START Found, we will look for sub-protocols (content and host)...\n"); if(packet->host_line.ptr != NULL) { - /* - nDPI is pretty scrupoulous about HTTP so it waits until the - HTTP response is received just to check that it conforms - with the HTTP specs. However this might be a waste of time as - in 99.99% of the cases is like that. + /** + nDPI is pretty scrupoulous about HTTP so it waits until the + HTTP response is received just to check that it conforms + with the HTTP specs. However this might be a waste of time as + in 99.99% of the cases is like that. */ if(ndpi_struct->http_dont_dissect_response) { @@ -838,8 +897,9 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP stage %u: \n", flow->l4.tcp.http_stage); - /* At first check, if this is for sure a response packet (in another direction. If not, if http is detected do nothing now and return, - * otherwise check the second packet for the http request . */ + /** + At first check, if this is for sure a response packet (in another direction. If not, if http is detected do nothing now and return, + otherwise check the second packet for the http request . */ if((flow->l4.tcp.http_stage - packet->packet_direction) == 1) { if(flow->http_detected) 
@@ -880,21 +940,20 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct return; } - /* This is a packet in another direction. Check if we find the proper response. */ - /* We have received a response for a previously identified partial HTTP request */ + /** + This is a packet in another direction. Check if we find the proper response. + We have received a response for a previously identified partial HTTP request + */ if((packet->parsed_lines == 1) && (packet->packet_direction == 1 /* server -> client */)) { - /* - In apache if you do "GET /\n\n" the response comes without any header so we can assume that - this can be the case - */ + /* In apache if you do "GET /\n\n" the response comes without any header */ NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Found HTTP. (apache)\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); check_content_type_and_change_protocol(ndpi_struct, flow); return; } - /* If we already detected the http request, we can add the connection and then check for the sub-protocol*/ + /* If we already detected the http request, we can add the connection and then check for the sub-protocol */ if(flow->http_detected) ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); @@ -1098,10 +1157,7 @@ void init_http_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int #endif NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, NDPI_CONTENT_MMS); - /* #ifdef NDPI_PROTOCOL_RTSP */ - /* NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, */ - /* NDPI_PROTOCOL_RTSP); */ - /* #endif */ + NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, NDPI_PROTOCOL_XBOX); NDPI_BITMASK_SET(ndpi_struct->generic_http_packet_bitmask, ndpi_struct->callback_buffer[a].detection_bitmask); 
diff --git a/src/lib/protocols/kxun.c b/src/lib/protocols/kxun.c
new file mode 100644
index 000000000..33939ed85
--- /dev/null
+++ b/src/lib/protocols/kxun.c
@@ -0,0 +1,98 @@
+/*
+ * kxun.c
+ *
+ * Copyright (C) 2016 - ntop.org
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+#include "ndpi_protocols.h"
+
+#ifdef NDPI_SERVICE_1KXUN
+
+
+static void ndpi_int_kxun_add_connection(struct ndpi_detection_module_struct
+ *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_SERVICE_1KXUN, NDPI_PROTOCOL_UNKNOWN);
+}
+
+
+void ndpi_search_kxun(struct ndpi_detection_module_struct
+ *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct *packet = &flow->packet;
+
+ /* 1KXUN over TCP is detected inside HTTP dissector */
+
+ /* check 1KXUN over UDP */
+ if(packet->udp != NULL) {
+ /* check ipv6 */
+ if(packet->iphv6 != NULL) {
+ if(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0] == 0x2ff &&
+ packet->payload_packet_len == 329) {
+ if(packet->payload[0] == 0xff &&
+ packet->payload[1] == 0x0f &&
+ packet->payload[4] == 0xa0 &&
+ packet->payload[5] == 0x00) {
+ NDPI_LOG(NDPI_SERVICE_1KXUN, ndpi_struct, NDPI_LOG_DEBUG,
+ "found 1kxun over udp.\n");
+ ndpi_int_kxun_add_connection(ndpi_struct, flow);
+ return;
+ }
+ }
+ }
+ else if(packet->iph != NULL) {
+ if(packet->iph->daddr == 0xffffffff) {
+ if(packet->payload_packet_len == 40 &&
+ packet->payload[8] == 0x41 &&
+ packet->payload[9] == 0x41 &&
+ packet->payload[10] == 0x42) {
+ NDPI_LOG(NDPI_PROTOCOL_1KXUN, ndpi_struct, NDPI_LOG_DEBUG,
+ "found 1kxun over udp.\n");
+ ndpi_int_kxun_add_connection(ndpi_struct, flow);
+ return;
+ }
+ if(packet->payload_packet_len == 317 &&
+ packet->payload[0] == 0xff &&
+ packet->payload[1] == 0xff &&
+ packet->payload[4] == 0xa0 &&
+ packet->payload[5] == 0x00) {
+ NDPI_LOG(NDPI_PROTOCOL_1KXUN, ndpi_struct, NDPI_LOG_DEBUG,
+ "found 1kxun over udp.\n");
+ ndpi_int_kxun_add_connection(ndpi_struct, flow);
+ return;
+ }
+ }
+ }
+ }
+ /* EXCLUDE 1KXUN */
+ NDPI_LOG(NDPI_SERVICE_1KXUN, ndpi_struct, NDPI_LOG_DEBUG, "exclude 1kxun.\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_SERVICE_1KXUN);
+}
+
+
+void init_kxun_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+ ndpi_set_bitmask_protocol_detection("1kxun", ndpi_struct, detection_bitmask, *id,
+ NDPI_SERVICE_1KXUN,
+ ndpi_search_kxun,
+ NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+
+ *id += 1;
+}
+
+#endif
diff --git a/src/lib/protocols/ppstream.c b/src/lib/protocols/ppstream.c
index f3323697b..04259def9 100644
--- a/src/lib/protocols/ppstream.c
+++ b/src/lib/protocols/ppstream.c
@@ -24,72 +24,216 @@ #ifdef NDPI_PROTOCOL_PPSTREAM +#define PPS_PORT 17788 + + static void ndpi_int_ppstream_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_UNKNOWN); } + void ndpi_search_ppstream(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - - /* check TCP Connections -> Videodata */ - if (packet->tcp != NULL) { - if (packet->payload_packet_len >= 60 && get_u_int32_t(packet->payload, 52) == 0 - && memcmp(packet->payload, "PSProtocol\x0", 11) == 0) { - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, "found ppstream over tcp.\n"); - ndpi_int_ppstream_add_connection(ndpi_struct, flow); - return; - } - } + struct ndpi_packet_struct *packet = &flow->packet; - if (packet->udp != NULL) { - if (packet->payload_packet_len > 2 && packet->payload[2] == 0x43 - && ((packet->payload_packet_len - 4 == get_l16(packet->payload, 0)) - || (packet->payload_packet_len == get_l16(packet->payload, 0)) - || (packet->payload_packet_len >= 6 && packet->payload_packet_len - 6 == get_l16(packet->payload, 0)))) { - flow->l4.udp.ppstream_stage++; - if (flow->l4.udp.ppstream_stage == 5) { - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, - "found ppstream over udp pattern len, 43.\n"); - ndpi_int_ppstream_add_connection(ndpi_struct, flow); - return; - } - return; - } + /** + PPS over TCP is detected inside HTTP dissector + */ + + /* check PPS over UDP */ + if(packet->udp != NULL) { + /*** on port 17788 ***/ + if(packet->payload_packet_len > 12 && ((ntohs(packet->udp->source) == PPS_PORT) || (ntohs(packet->udp->dest) == PPS_PORT))) { + if(((packet->payload_packet_len - 4 == get_l16(packet->payload, 0)) + || (packet->payload_packet_len == 
get_l16(packet->payload, 0)) + || (packet->payload_packet_len >= 6 && packet->payload_packet_len - 6 == get_l16(packet->payload, 0)))) { + /* check 43 and */ + if(packet->payload[2] == 0x43) { + if(packet->payload[5] == 0xff && + packet->payload[6] == 0x00 && + packet->payload[7] == 0x01 && + packet->payload[8] == 0x00 && + packet->payload[9] == 0x00 && + packet->payload[10] == 0x00 && + packet->payload[11] == 0x00 && + packet->payload[12] == 0x00 && + packet->payload[13] == 0x00 && + packet->payload[14] == 0x00) { + + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } + /* check 44 */ + else if(packet->payload[2] == 0x44) { + /** b1 71 **/ + if(packet->payload[3] == 0xb1 && packet->payload[4] == 0x71) { + if(packet->payload[13] == 0x00 && + packet->payload[14] == 0x00 && + packet->payload[15] == 0x01 && + packet->payload[16] == 0x00) { + /* 02 03 04 05 */ + if(packet->payload[17] == 0x02 || + packet->payload[17] == 0x03 || + packet->payload[17] == 0x04 || + packet->payload[17] == 0x05) { + if(packet->payload[18] == 0x00 && + packet->payload[19] == 0x00 && + packet->payload[20] == 0x00) { - if (flow->l4.udp.ppstream_stage == 0 - && packet->payload_packet_len > 4 && ((packet->payload_packet_len - 4 == get_l16(packet->payload, 0)) - || (packet->payload_packet_len == get_l16(packet->payload, 0)) - || (packet->payload_packet_len >= 6 - && packet->payload_packet_len - 6 == get_l16(packet->payload, - 0)))) { - - if (packet->payload[2] == 0x00 && packet->payload[3] == 0x00 && packet->payload[4] == 0x03) { - flow->l4.udp.ppstream_stage = 7; - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, "need next packet I.\n"); - return; - } + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, 
+ "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } } + /* ff */ + else if(packet->payload[17] == 0xff) { + if(packet->payload[18] == 0xff && + packet->payload[19] == 0xff && + packet->payload[20] == 0xff) { - if (flow->l4.udp.ppstream_stage == 7 - && packet->payload_packet_len > 4 && packet->payload[3] == 0x00 - && ((packet->payload_packet_len - 4 == get_l16(packet->payload, 0)) - || (packet->payload_packet_len == get_l16(packet->payload, 0)) - || (packet->payload_packet_len >= 6 && packet->payload_packet_len - 6 == get_l16(packet->payload, 0))) - && (packet->payload[2] == 0x00 && packet->payload[4] == 0x03)) { - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, - "found ppstream over udp with pattern Vb.\n"); - ndpi_int_ppstream_add_connection(ndpi_struct, flow); - return; + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } } + } + } + /** 73 17 **/ + else if(packet->payload[3] == 0x73 && packet->payload[4] == 0x17) { + if(packet->payload[5] == 0x00 && + packet->payload[6] == 0x00 && + packet->payload[7] == 0x00 && + packet->payload[8] == 0x00 && + packet->payload[14] == 0x00 && + packet->payload[15] == 0x00 && + packet->payload[16] == 0x00 && + packet->payload[17] == 0x00 && + packet->payload[18] == 0x00 && + packet->payload[19] == 0x00 && + packet->payload[20] == 0x00) { + + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } + } + /** 74 71 **/ + else if(packet->payload[3] == 0x74 && packet->payload[4] == 0x71 && packet->payload_packet_len == 113) { + /* check "PPStream" string in hex */ + if(packet->payload[94] == 0x50 && 
+ packet->payload[95] == 0x50 && + packet->payload[96] == 0x53 && + packet->payload[97] == 0x74 && + packet->payload[98] == 0x72 && + packet->payload[99] == 0x65 && + packet->payload[100] == 0x61 && + packet->payload[101] == 0x6d) { + + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } + } + } + /** check 55 (1) **/ + else if(packet->payload[2] == 0x55 && (packet->payload[13] == 0x1b && + packet->payload[14] == 0xa0 && + packet->payload[15] == 0x00 && + packet->payload[16] == 0x00 && + packet->payload[17] == 0x00 && + packet->payload[18] == 0x00 && + packet->payload[19] == 0x00 && + packet->payload[20] == 0x00 )) { + + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } + /** check 55 (2) **/ + else if(packet->payload[2] == 0x55 && packet->payload[1] == 0x00 && + (packet->payload[5] == 0x00 && + packet->payload[6] == 0x00 && + packet->payload[7] == 0x00 && + packet->payload[8] == 0x00 && + packet->payload[14] == 0x00 && + packet->payload[15] == 0x00 && + packet->payload[16] == 0x00 && + packet->payload[17] == 0x00 && + packet->payload[18] == 0x00 && + packet->payload[19] == 0x00 && + packet->payload[20] == 0x00 )) { + + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } } + } + /* No port detection */ + if(packet->payload_packet_len > 17) { + /* 80 */ + if(packet->payload[1] == 0x80 || packet->payload[1] == 0x84 ) { + if(packet->payload[3] == packet->payload[4]) { - 
NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, "exclude ppstream.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_PPSTREAM); + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } + } + /* 53 */ + else if(packet->payload[1] == 0x53 && packet->payload[3] == 0x00 && + (packet->payload[0] == 0x08 || packet->payload[0] == 0x0c)) { + + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over udp.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } + } + } + /* EXCLUDE PPS */ + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, "exclude PPStream.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_PPSTREAM); + } } @@ -101,7 +245,7 @@ void init_ppstream_dissector(struct ndpi_detection_module_struct *ndpi_struct, u NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); - + *id += 1; } diff --git a/tests/pcap/1kxun.pcap b/tests/pcap/1kxun.pcap Binary files differnew file mode 100644 index 000000000..708f68fdd --- /dev/null +++ b/tests/pcap/1kxun.pcap diff --git a/tests/pcap/pps.pcap b/tests/pcap/pps.pcap Binary files differnew file mode 100644 index 000000000..2c18c1867 --- /dev/null +++ b/tests/pcap/pps.pcap diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out new file mode 100644 index 000000000..d93b6a8cb --- /dev/null +++ b/tests/result/1kxun.pcap.out 
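Review bot: The port-17788 block in `ndpi_search_ppstream` is entered with only `packet->payload_packet_len > 12`, yet its branches index up to `payload[14]` (0x43 pattern) and `payload[20]` (0x44 and 0x55 patterns), so a 13- to 20-byte UDP datagram on that port is read past its end. Each pattern needs its own minimum length, e.g. `if(packet->payload[2] == 0x43 && packet->payload_packet_len > 14)` and a `packet->payload_packet_len > 20` condition before the 0x44/0x55 tests; the 0x74 0x71 case is already pinned to length 113. As far as the braces can be followed in this rendering, `else if(packet->payload[2] == 0x44)` is attached to the inner `if(packet->payload[5] == 0xff …)` inside the `== 0x43` block, which would make the 0x44 and both 0x55 branches unreachable. If so, a closing `}` is probably missing before `/* check 44 */`, and the "No port detection" block would likewise sit inside the port test.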
@@ -0,0 +1,147 @@ +Unknown 9 2428 7 +DNS 2 378 1 +HTTP 8 500 3 +MDNS 1 82 1 +NTP 1 90 1 +NetBIOS 31 3589 8 +SSDP 143 36951 13 +DHCP 24 8208 5 +QQ 28 5216 2 +SSL 124 28754 9 +DHCPV6 10 980 3 +LLMNR 89 6799 47 +Lync 2 132 1 +1kxun 967 535718 28 + + 1 TCP 192.168.5.16:53406 <-> 119.235.235.84:443 [proto: 91/SSL][23 pkts/7434 bytes] + 2 TCP 192.168.115.8:49613 <-> 183.131.48.144:80 [proto: 218/1kxun][419 pkts/183693 bytes][Host: 183.131.48.144] + 3 UDP [fe80::5d92:62a8:ebde:1319]:5355 <-> [ff02::1:3]:53938 [proto: 154/LLMNR][2 pkts/172 bytes][Host: isatap] + 4 UDP [fe80::9bd:81dd:2fdc:5750]:5355 <-> [ff02::1:3]:61548 [proto: 154/LLMNR][2 pkts/190 bytes][Host: caesar-thinkpad] + 5 UDP [fe80::5d92:62a8:ebde:1319]:5355 <-> [ff02::1:3]:58468 [proto: 154/LLMNR][2 pkts/178 bytes][Host: wangs-ltw] + 6 UDP 192.168.2.186:32768 <-> 255.255.255.255:1947 [proto: 218/1kxun][2 pkts/164 bytes] + 7 TCP 192.168.5.16:53623 <-> 192.168.115.75:443 [proto: 91/SSL][19 pkts/3642 bytes][SSL client: 1] + 8 TCP 192.168.5.16:53625 <-> 192.168.115.75:443 [proto: 91/SSL][19 pkts/3638 bytes][SSL client: 1] + 9 TCP 192.168.5.16:53629 <-> 192.168.115.75:443 [proto: 91/SSL][17 pkts/3518 bytes][SSL client: 1] + 10 UDP [fe80::9bd:81dd:2fdc:5750]:5355 <-> [ff02::1:3]:64568 [proto: 154/LLMNR][2 pkts/190 bytes][Host: caesar-thinkpad] + 11 UDP [fe80::5d92:62a8:ebde:1319]:5355 <-> [ff02::1:3]:61172 [proto: 154/LLMNR][2 pkts/174 bytes][Host: sonusav] + 12 TCP 192.168.5.16:53627 <-> 203.69.81.73:80 [proto: 218/1kxun][14 pkts/9498 bytes][Host: dl-obs.official.line.naver.jp] + 13 UDP [fe80::4568:efbc:40b1:1346]:5355 <-> [ff02::1:3]:50194 [proto: 154/LLMNR][2 pkts/176 bytes][Host: kevin-pc] + 14 UDP 168.95.1.1:53 <-> 192.168.5.16:63372 [proto: 5/DNS][2 pkts/378 bytes][Host: dl-obs.official.line.naver.jp] + 15 UDP 192.168.5.45:59461 <-> 192.168.255.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes] + 16 UDP 192.168.5.45:59789 <-> 192.168.255.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes] + 17 TCP 192.168.115.8:49607 <-> 
218.244.135.170:9099 [proto: 218/1kxun][13 pkts/1452 bytes][Host: 218.244.135.170:9099] + 18 UDP 192.168.5.48:49701 <-> 239.255.255.250:1900 [proto: 12/SSDP][7 pkts/1253 bytes] + 19 UDP [fe80::4568:efbc:40b1:1346]:5355 <-> [ff02::1:3]:57148 [proto: 154/LLMNR][2 pkts/176 bytes][Host: kevin-pc] + 20 UDP 192.168.3.95:51451 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/144 bytes][Host: 小佛專機] + 21 UDP 192.168.5.44:51389 <-> 239.255.255.250:1900 [proto: 12/SSDP][13 pkts/2275 bytes] + 22 UDP 192.168.119.1:67 <-> 192.168.5.16:68 [proto: 18/DHCP][4 pkts/1368 bytes] + 23 UDP 192.168.5.41:55593 <-> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/68 bytes][Host: kevin-pc] + 24 UDP 192.168.101.33:55485 <-> 239.255.255.250:1900 [proto: 12/SSDP][10 pkts/1750 bytes] + 25 UDP 192.168.3.236:56043 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/132 bytes][Host: isatap] + 26 UDP 8.8.8.8:53 <-> 192.168.115.8:51024 [proto: 5.218/DNS.1kxun][3 pkts/272 bytes][Host: jp.kankan.1kxun.mobi] + 27 UDP 192.168.5.57:55809 <-> 239.255.255.250:1900 [proto: 12/SSDP][14 pkts/2450 bytes] + 28 UDP 192.168.5.50:57143 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/142 bytes][Host: charming-pc] + 29 UDP 192.168.5.37:57325 <-> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1575 bytes] + 30 UDP 192.168.3.95:58779 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/144 bytes][Host: 小佛專機] + 31 UDP 192.168.5.44:59571 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes][Host: jason-pc] + 32 UDP 8.8.8.8:53 <-> 192.168.115.8:54420 [proto: 5.48/DNS.QQ][3 pkts/266 bytes][Host: vv.video.qq.com] + 33 UDP 192.168.5.48:59797 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/140 bytes][Host: kasper-mac] + 34 UDP 192.168.5.47:60267 <-> 239.255.255.250:1900 [proto: 12/SSDP][8 pkts/1432 bytes] + 35 UDP 192.168.10.110:60480 <-> 255.255.255.255:62976 [proto: 218/1kxun][5 pkts/1795 bytes] + 36 UDP 192.168.5.47:61603 <-> 224.0.0.252:5355 [proto: 173/Lync][2 pkts/132 bytes] + 37 UDP 192.168.3.236:62069 <-> 224.0.0.252:5355 [proto: 
154/LLMNR][2 pkts/138 bytes][Host: wangs-ltw] + 38 UDP 192.168.125.30:62976 <-> 255.255.255.255:62976 [proto: 218/1kxun][2 pkts/718 bytes] + 39 UDP 192.168.10.7:62976 <-> 255.255.255.255:62976 [proto: 218/1kxun][2 pkts/718 bytes] + 40 UDP [fe80::e034:7be:d8f9:6197]:5355 <-> [ff02::1:3]:57143 [proto: 154/LLMNR][1 pkts/91 bytes][Host: charming-pc] + 41 UDP 192.168.140.140:62976 <-> 255.255.255.255:62976 [proto: 218/1kxun][1 pkts/359 bytes] + 42 UDP 8.8.8.8:53 <-> 192.168.115.8:60724 [proto: 5.218/DNS.1kxun][3 pkts/283 bytes][Host: pic.1kxun.com] + 43 UDP [fe80::edf5:240a:c8c0:8312]:5355 <-> [ff02::1:3]:61603 [proto: 154/LLMNR][2 pkts/172 bytes][Host: ro_x1c] + 44 UDP 192.168.5.49:1900 <-> 239.255.255.250:1900 [proto: 12/SSDP][16 pkts/8473 bytes] + 45 TCP 192.168.115.8:49609 <-> 42.120.51.152:8080 [proto: 218/1kxun][33 pkts/11721 bytes][Host: 42.120.51.152:8080] + 46 TCP 192.168.5.16:53624 <-> 68.233.253.133:80 [proto: 218/1kxun][12 pkts/1982 bytes][Host: api.magicansoft.com] + 47 UDP [fe80::e98f:bae2:19f7:6b0f]:5355 <-> [ff02::1:3]:51451 [proto: 154/LLMNR][2 pkts/184 bytes][Host: 小佛專機] + 48 TCP 192.168.115.8:49600 <-> 106.187.35.246:80 [proto: 7.218/HTTP.1kxun][69 pkts/63429 bytes][Host: pic.1kxun.com] + 49 TCP 192.168.115.8:49602 <-> 106.187.35.246:80 [proto: 7.218/HTTP.1kxun][65 pkts/48989 bytes][Host: pic.1kxun.com] + 50 TCP 192.168.115.8:49604 <-> 106.187.35.246:80 [proto: 7.218/HTTP.1kxun][58 pkts/45577 bytes][Host: pic.1kxun.com] + 51 TCP 192.168.115.8:49606 <-> 106.185.35.110:80 [proto: 7.218/HTTP.1kxun][50 pkts/35747 bytes][Host: jp.kankan.1kxun.mobi] + 52 UDP [fe80::f65c:89ff:fe89:e607]:547 <-> [ff02::1:2]:546 [proto: 103/DHCPV6][1 pkts/98 bytes] + 53 UDP [fe80::e98f:bae2:19f7:6b0f]:5355 <-> [ff02::1:3]:58779 [proto: 154/LLMNR][2 pkts/184 bytes][Host: 小佛專機] + 54 UDP 0.0.0.0:68 <-> 255.255.255.255:67 [proto: 18/DHCP][4 pkts/1368 bytes] + 55 UDP 59.120.208.218:50151 <-> 255.255.255.255:1947 [proto: 218/1kxun][2 pkts/164 bytes] + 56 UDP 
[fe80::5d92:62a8:ebde:1319]:5355 <-> [ff02::1:3]:49735 [proto: 154/LLMNR][2 pkts/178 bytes][Host: wangs-ltw] + 57 TCP 192.168.115.8:49612 <-> 183.131.48.145:80 [proto: 218/1kxun][14 pkts/2295 bytes][Host: 183.131.48.145] + 58 UDP 168.95.1.1:53 <-> 192.168.115.8:52723 [proto: 5.218/DNS.1kxun][3 pkts/260 bytes][Host: kankan.1kxun.com] + 59 TCP 192.168.115.8:49608 <-> 203.205.151.234:80 [proto: 7.48/HTTP.QQ][25 pkts/4950 bytes][Host: vv.video.qq.com] + 60 TCP 192.168.115.8:49596 <-> 203.66.182.87:443 [proto: 91/SSL][6 pkts/352 bytes] + 61 UDP [fe80::9bd:81dd:2fdc:5750]:1900 <-> [ff02::c]:1900 [proto: 12/SSDP][16 pkts/8921 bytes] + 62 TCP 192.168.5.16:53622 <-> 192.168.115.75:443 [proto: 91/SSL][2 pkts/120 bytes] + 63 TCP 192.168.5.16:53626 <-> 192.168.115.75:443 [proto: 91/SSL][19 pkts/3210 bytes][SSL client: 1] + 64 TCP 192.168.5.16:53628 <-> 203.69.81.73:80 [proto: 218/1kxun][14 pkts/9158 bytes][Host: dl-obs.official.line.naver.jp] + 65 TCP 192.168.115.8:49598 <-> 222.73.254.167:80 [proto: 7.218/HTTP.1kxun][14 pkts/2386 bytes][Host: kankan.1kxun.com] + 66 UDP [fe80::5d92:62a8:ebde:1319]:5355 <-> [ff02::1:3]:63659 [proto: 154/LLMNR][2 pkts/172 bytes][Host: isatap] + 67 UDP [fe80::406:55a8:6453:25dd]:547 <-> [ff02::1:2]:546 [proto: 103/DHCPV6][5 pkts/490 bytes] + 68 UDP 192.168.5.50:49766 <-> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/71 bytes][Host: charming-pc] + 69 UDP 192.168.5.50:50030 <-> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/71 bytes][Host: charming-pc] + 70 UDP 192.168.115.8:51458 <-> 224.0.0.252:5355 [proto: 154/LLMNR][4 pkts/256 bytes][Host: wpad] + 71 UDP 192.168.3.236:51714 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/132 bytes][Host: isatap] + 72 UDP 192.168.5.49:51704 <-> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1611 bytes] + 73 UDP 192.168.115.8:137 <-> 192.168.255.255:137 [proto: 10/NetBIOS][6 pkts/552 bytes] + 74 UDP 192.168.5.67:138 <-> 192.168.255.255:138 [proto: 10/NetBIOS][2 pkts/549 bytes] + 75 UDP 192.168.5.45:137 <-> 
192.168.255.255:137 [proto: 10/NetBIOS][2 pkts/184 bytes] + 76 UDP 192.168.5.45:138 <-> 192.168.255.255:138 [proto: 10/NetBIOS][3 pkts/648 bytes] + 77 UDP 192.168.3.236:137 <-> 192.168.255.255:137 [proto: 10/NetBIOS][13 pkts/1196 bytes] + 78 UDP 192.168.0.104:137 <-> 192.168.255.255:137 [proto: 10/NetBIOS][3 pkts/276 bytes] + 79 UDP 192.168.5.47:53962 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/132 bytes][Host: ro_x1c] + 80 UDP 192.168.5.41:54470 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes][Host: kevin-pc] + 81 UDP 192.168.5.37:54506 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes][Host: notebook] + 82 UDP 192.168.3.95:54888 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/144 bytes][Host: 小佛專機] + 83 UDP 192.168.5.41:55312 <-> 239.255.255.250:1900 [proto: 12/SSDP][8 pkts/1400 bytes] + 84 UDP 192.168.5.9:55484 <-> 239.255.255.250:1900 [proto: 12/SSDP][12 pkts/2100 bytes] + 85 UDP [fe80::e034:7be:d8f9:6197]:5355 <-> [ff02::1:3]:49766 [proto: 154/LLMNR][2 pkts/182 bytes][Host: charming-pc] + 86 UDP 192.168.5.37:56366 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes][Host: notebook] + 87 UDP 8.8.8.8:53 <-> 192.168.115.8:52723 [proto: 5.218/DNS.1kxun][3 pkts/260 bytes][Host: kankan.1kxun.com] + 88 UDP 192.168.101.33:58456 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes][Host: joanna-pc] + 89 UDP 192.168.5.9:58456 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes][Host: joanna-pc] + 90 UDP 192.168.5.44:58702 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes][Host: jason-pc] + 91 UDP 192.168.5.44:59062 <-> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/68 bytes][Host: jason-pc] + 92 UDP [fe80::edf5:240a:c8c0:8312]:5355 <-> [ff02::1:3]:53962 [proto: 154/LLMNR][2 pkts/172 bytes][Host: ro_x1c] + 93 UDP 192.168.3.236:59730 <-> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/67 bytes][Host: sonusav] + 94 UDP 192.168.3.95:59468 <-> 239.255.255.250:1900 [proto: 12/SSDP][12 pkts/2100 bytes] + 95 UDP 192.168.5.49:61548 <-> 
224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/150 bytes][Host: caesar-thinkpad] + 96 TCP 192.168.5.16:53580 <-> 31.13.87.36:443 [proto: 91/SSL][9 pkts/4347 bytes] + 97 TCP 31.13.87.1:443 <-> 192.168.5.16:53578 [proto: 91/SSL][10 pkts/2493 bytes] + 98 UDP 192.168.5.50:62756 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/142 bytes][Host: charming-pc] + 99 UDP 192.168.101.33:62822 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes][Host: joanna-pc] + 100 UDP 192.168.5.9:62822 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes][Host: joanna-pc] + 101 UDP 192.168.5.57:64428 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes][Host: usher-pc] + 102 UDP 192.168.5.49:64568 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/150 bytes][Host: caesar-thinkpad] + 103 UDP 192.168.5.50:64674 <-> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1611 bytes] + 104 UDP 192.168.5.57:65150 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes][Host: usher-pc] + 105 UDP 192.168.3.236:65496 <-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes][Host: wangs-ltw] + 106 TCP 192.168.115.8:49581 <-> 64.233.189.128:80 [proto: 7/HTTP][3 pkts/176 bytes] + 107 UDP 192.168.119.1:67 <-> 255.255.255.255:68 [proto: 18/DHCP][14 pkts/4788 bytes] + 108 UDP 192.168.5.9:68 <-> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes] + 109 UDP 192.168.5.41:68 <-> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes] + 110 UDP [fe80::beee:7bff:fe0c:b3de]:547 <-> [ff02::1:2]:546 [proto: 103/DHCPV6][4 pkts/392 bytes] + 111 UDP [fe80::e034:7be:d8f9:6197]:5355 <-> [ff02::1:3]:62756 [proto: 154/LLMNR][1 pkts/91 bytes][Host: charming-pc] + 112 UDP 59.120.208.212:32768 <-> 255.255.255.255:1947 [proto: 218/1kxun][1 pkts/82 bytes] + 113 UDP 192.168.5.64:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/82 bytes] + 114 TCP 192.168.5.16:53605 <-> 68.233.253.133:80 [proto: 7/HTTP][2 pkts/126 bytes] + 115 TCP 192.168.5.16:53613 <-> 68.233.253.133:80 [proto: 7/HTTP][3 pkts/198 bytes] + 116 UDP 192.168.5.16:123 
<-> 17.253.26.125:123 [proto: 9/NTP][1 pkts/90 bytes] + 117 TCP 192.168.115.8:49597 <-> 106.185.35.110:80 [proto: 7.218/HTTP.1kxun][14 pkts/2858 bytes][Host: jp.kankan.1kxun.mobi] + 118 TCP 192.168.115.8:49599 <-> 106.187.35.246:80 [proto: 7.218/HTTP.1kxun][43 pkts/31191 bytes][Host: pic.1kxun.com] + 119 TCP 192.168.115.8:49601 <-> 106.187.35.246:80 [proto: 7.218/HTTP.1kxun][61 pkts/51677 bytes][Host: pic.1kxun.com] + 120 TCP 192.168.115.8:49603 <-> 106.187.35.246:80 [proto: 7.218/HTTP.1kxun][34 pkts/25580 bytes][Host: pic.1kxun.com] + 121 TCP 192.168.115.8:49605 <-> 106.185.35.110:80 [proto: 7.218/HTTP.1kxun][13 pkts/3410 bytes][Host: jp.kankan.1kxun.mobi] + 122 UDP [fe80::e98f:bae2:19f7:6b0f]:5355 <-> [ff02::1:3]:54888 [proto: 154/LLMNR][2 pkts/184 bytes][Host: 小佛專機] + + +Undetected flows: + 1 UDP 192.168.0.100:50925 <-> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/142 bytes] + 2 UDP [2001:b030:214:100:c2a0:bbff:fe73:eb47]:62976 <-> [ff02::1]:62976 [proto: 0/Unknown][2 pkts/782 bytes] + 3 UDP [2001:b020:6::c2a0:bbff:fe73:eb57]:62976 <-> [ff02::1]:62976 [proto: 0/Unknown][2 pkts/782 bytes] + 4 UDP 192.168.119.1:56861 <-> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/177 bytes] + 5 UDP [fe80::4e5e:cff:fe9a:ec54]:5678 <-> [ff02::1]:5678 [proto: 0/Unknown][1 pkts/185 bytes] + 6 UDP [fe80::4e5e:cff:feea:365]:5678 <-> [ff02::1]:5678 [proto: 0/Unknown][1 pkts/197 bytes] + 7 UDP 192.168.119.2:43786 <-> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/163 bytes] diff --git a/tests/result/http_ipv6.pcap.out b/tests/result/http_ipv6.pcap.out index 40ed412bb..89cf5fd8f 100644 --- a/tests/result/http_ipv6.pcap.out +++ b/tests/result/http_ipv6.pcap.out 
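Review bot: The expected results added in tests/result/1kxun.pcap.out pin classifications for hosts that do not look like the service being detected: flows 12 and 64 (`dl-obs.official.line.naver.jp`) and flow 46 (`api.magicansoft.com`) are recorded as `218/1kxun`, as are the UDP broadcasts to ports 1947 and 62976 (flows 6, 35, 38, 39, 41, 55 and 112). The new tests/result/pps.pcap.out shows the same pattern for `219/iQIYI` (`click.hm.baidu.com`, `s1.symcb.com`, `bcu.ff.avast.com`, `cmc.tanx.com`), and `api.magicansoft.com` is labelled 1kxun in one capture and iQIYI in the other, which suggests the match keys on something other than the host. Once these lines are golden output the regression test will defend the false positives, and anything that filters, accounts or alerts on nDPI labels will misattribute this traffic. The matching code is outside this view (presumably the http.c and kxun.c changes), so I would tighten the match there and regenerate both files, expecting a line such as flow 46 to come back as `[proto: 7/HTTP]`.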
@@ -5,10 +5,10 @@ QUIC 3 502 1 ntop 80 36401 4 1 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:33062 <-> [2a00:1450:400b:c02::9a]:443 [proto: 91/SSL][2 pkts/172 bytes] - 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37486 [proto: 91.219/SSL.ntop][19 pkts/7014 bytes][SSL client: www.ntop.org] - 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37488 [proto: 91.219/SSL.ntop][17 pkts/6842 bytes][SSL client: www.ntop.org] - 4 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37494 [proto: 91.219/SSL.ntop][18 pkts/6928 bytes][SSL client: www.ntop.org] - 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37506 [proto: 91.219/SSL.ntop][26 pkts/15617 bytes][SSL client: www.ntop.org] + 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37486 [proto: 91.221/SSL.ntop][19 pkts/7014 bytes][SSL client: www.ntop.org] + 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37488 [proto: 91.221/SSL.ntop][17 pkts/6842 bytes][SSL client: www.ntop.org] + 4 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37494 [proto: 91.221/SSL.ntop][18 pkts/6928 bytes][SSL client: www.ntop.org] + 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37506 [proto: 91.221/SSL.ntop][26 pkts/15617 bytes][SSL client: www.ntop.org] 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4006:804::200e]:40526 [proto: 91/SSL][2 pkts/172 bytes] 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4001:803::1017]:41776 [proto: 91/SSL][14 pkts/2213 bytes] 8 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a02:26f0:ad:197::236]:53132 [proto: 91.119/SSL.Facebook][12 pkts/5187 bytes][SSL client: s-static.ak.facebook.com] diff --git a/tests/result/mpeg.pcap.out b/tests/result/mpeg.pcap.out index eeaad5bdc..2dc94d97d 100644 --- a/tests/result/mpeg.pcap.out +++ b/tests/result/mpeg.pcap.out 
@@ -1,3 +1,3 @@ ntop 19 10643 1 - 1 TCP 46.101.157.119:80 <-> 192.168.80.160:55804 [proto: 7.219/HTTP.ntop][19 pkts/10643 bytes][Host: luca.ntop.org] + 1 TCP 46.101.157.119:80 <-> 192.168.80.160:55804 [proto: 7.221/HTTP.ntop][19 pkts/10643 bytes][Host: luca.ntop.org] diff --git a/tests/result/pps.pcap.out b/tests/result/pps.pcap.out new file mode 100644 index 000000000..f09d8b09b --- /dev/null +++ b/tests/result/pps.pcap.out 
@@ -0,0 +1,117 @@ +Unknown 990 378832 34 +HTTP 12 4427 6 +SSDP 62 17013 9 +Google 2 1093 1 +UPnP 1 130 1 +iQIYI 1490 1845116 56 + + 1 TCP 192.168.115.8:50443 <-> 117.79.81.135:80 [proto: 7/HTTP][1 pkts/347 bytes] + 2 TCP 192.168.115.8:50490 <-> 119.188.13.188:80 [proto: 7.219/HTTP.iQIYI][2 pkts/836 bytes][Host: pdata.video.qiyi.com] + 3 TCP 192.168.115.8:50497 <-> 123.125.112.49:80 [proto: 219/iQIYI][3 pkts/1305 bytes][Host: click.hm.baidu.com] + 4 TCP 192.168.115.8:50775 <-> 123.125.111.70:80 [proto: 7.219/HTTP.iQIYI][2 pkts/674 bytes][Host: nl.rcd.iqiyi.com] + 5 TCP 192.168.5.15:65125 <-> 68.233.253.133:80 [proto: 7/HTTP][1 pkts/66 bytes] + 6 TCP 192.168.5.15:65127 <-> 68.233.253.133:80 [proto: 219/iQIYI][2 pkts/713 bytes][Host: api.magicansoft.com] + 7 TCP 192.168.115.8:50462 <-> 202.108.14.236:80 [proto: 7/HTTP][2 pkts/108 bytes] + 8 TCP 192.168.115.8:50470 <-> 202.108.14.236:80 [proto: 7.219/HTTP.iQIYI][2 pkts/618 bytes][Host: msg.iqiyi.com] + 9 TCP 192.168.115.8:50474 <-> 202.108.14.221:80 [proto: 7.219/HTTP.iQIYI][2 pkts/1294 bytes][Host: msg.iqiyi.com] + 10 TCP 192.168.115.8:50484 <-> 202.108.14.219:80 [proto: 7.219/HTTP.iQIYI][2 pkts/821 bytes][Host: msg.71.am] + 11 TCP 192.168.115.8:50502 <-> 202.108.14.236:80 [proto: 7.219/HTTP.iQIYI][2 pkts/1146 bytes][Host: msg.71.am] + 12 TCP 192.168.115.8:50504 <-> 202.108.14.236:80 [proto: 7.219/HTTP.iQIYI][1 pkts/946 bytes][Host: msg.71.am] + 13 TCP 192.168.115.8:50506 <-> 202.108.14.219:80 [proto: 7/HTTP][1 pkts/199 bytes] + 14 TCP 192.168.115.8:50466 <-> 203.66.182.24:80 [proto: 7.126/HTTP.Google][2 pkts/1093 bytes][Host: clients1.google.com] + 15 TCP 192.168.115.8:50774 <-> 202.108.14.219:80 [proto: 7.219/HTTP.iQIYI][2 pkts/786 bytes][Host: msg.71.am] + 16 UDP 192.168.5.63:39383 <-> 239.255.255.250:1900 [proto: 153/UPnP][1 pkts/130 bytes] + 17 TCP 192.168.115.8:50488 <-> 223.26.106.20:80 [proto: 7.219/HTTP.iQIYI][3 pkts/2346 bytes][Host: meta.video.qiyi.com] + 18 TCP 192.168.115.8:50494 <-> 223.26.106.66:80 
[proto: 219/iQIYI][3 pkts/1330 bytes][Host: 223.26.106.66] + 19 TCP 192.168.115.8:50508 <-> 223.26.106.19:80 [proto: 7.219/HTTP.iQIYI][2 pkts/618 bytes][Host: static.qiyi.com] + 20 TCP 192.168.115.8:50766 <-> 223.26.106.20:80 [proto: 7.219/HTTP.iQIYI][2 pkts/691 bytes][Host: static.qiyi.com] + 21 TCP 192.168.115.8:50768 <-> 223.26.106.19:80 [proto: 7.219/HTTP.iQIYI][2 pkts/724 bytes][Host: static.qiyi.com] + 22 TCP 192.168.115.8:50778 <-> 223.26.106.20:80 [proto: 7.219/HTTP.iQIYI][529 pkts/692961 bytes][Host: preimage1.qiyipic.com] + 23 TCP 192.168.115.8:50780 <-> 223.26.106.20:80 [proto: 7.219/HTTP.iQIYI][542 pkts/710385 bytes][Host: preimage1.qiyipic.com] + 24 UDP 192.168.115.1:50945 <-> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1539 bytes] + 25 UDP 192.168.5.50:52529 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/1074 bytes] + 26 TCP 192.168.115.8:50500 <-> 23.41.133.163:80 [proto: 219/iQIYI][2 pkts/1128 bytes][Host: s1.symcb.com] + 27 UDP 192.168.5.38:58897 <-> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1575 bytes] + 28 TCP 192.168.115.8:50765 <-> 36.110.220.15:80 [proto: 7.219/HTTP.iQIYI][2 pkts/463 bytes][Host: msg.video.qiyi.com] + 29 UDP 192.168.5.28:60023 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/1050 bytes] + 30 UDP 192.168.5.38:1900 <-> 239.255.255.250:1900 [proto: 12/SSDP][18 pkts/9327 bytes] + 31 TCP 192.168.115.8:50476 <-> 101.227.32.39:80 [proto: 7.219/HTTP.iQIYI][5 pkts/4553 bytes][Host: cache.video.iqiyi.com] + 32 TCP 192.168.115.8:50496 <-> 101.227.200.11:80 [proto: 7.219/HTTP.iQIYI][3 pkts/1861 bytes][Host: api.cupid.iqiyi.com] + 33 TCP 192.168.115.8:50509 <-> 106.38.219.107:80 [proto: 7.219/HTTP.iQIYI][3 pkts/720 bytes][Host: iplocation.geo.qiyi.com] + 34 TCP 192.168.115.8:50499 <-> 111.206.22.76:80 [proto: 7.219/HTTP.iQIYI][2 pkts/1296 bytes][Host: msg.iqiyi.com] + 35 TCP 192.168.115.8:50777 <-> 111.206.22.77:80 [proto: 7.219/HTTP.iQIYI][2 pkts/1380 bytes][Host: msg.iqiyi.com] + 36 TCP 192.168.115.8:50779 <-> 111.206.22.77:80 
[proto: 7.219/HTTP.iQIYI][3 pkts/1632 bytes][Host: msg.iqiyi.com] + 37 TCP 192.168.115.8:50489 <-> 119.188.13.188:80 [proto: 7.219/HTTP.iQIYI][2 pkts/683 bytes][Host: pdata.video.qiyi.com] + 38 TCP 192.168.115.8:50464 <-> 123.125.112.49:80 [proto: 219/iQIYI][2 pkts/1451 bytes][Host: click.hm.baidu.com] + 39 TCP 192.168.115.8:50772 <-> 123.125.111.70:80 [proto: 7.219/HTTP.iQIYI][2 pkts/674 bytes][Host: nl.rcd.iqiyi.com] + 40 TCP 192.168.5.15:65128 <-> 68.233.253.133:80 [proto: 219/iQIYI][2 pkts/721 bytes][Host: api.magicansoft.com] + 41 TCP 192.168.115.8:50482 <-> 140.205.243.64:80 [proto: 219/iQIYI][2 pkts/727 bytes][Host: cmc.tanx.com] + 42 TCP 192.168.115.8:50295 <-> 202.108.14.219:80 [proto: 7/HTTP][2 pkts/398 bytes] + 43 TCP 192.168.115.8:50467 <-> 202.108.14.219:80 [proto: 7.219/HTTP.iQIYI][2 pkts/828 bytes][Host: msg.71.am] + 44 TCP 192.168.115.8:50469 <-> 202.108.14.219:80 [proto: 7.219/HTTP.iQIYI][2 pkts/772 bytes][Host: msg.71.am] + 45 TCP 192.168.115.8:50471 <-> 202.108.14.236:80 [proto: 7.219/HTTP.iQIYI][4 pkts/2296 bytes][Host: msg.71.am] + 46 TCP 192.168.115.8:50475 <-> 202.108.14.236:80 [proto: 7.219/HTTP.iQIYI][2 pkts/1140 bytes][Host: msg.71.am] + 47 TCP 192.168.115.8:50473 <-> 202.108.14.219:80 [proto: 7.219/HTTP.iQIYI][2 pkts/1143 bytes][Host: msg.71.am] + 48 TCP 192.168.115.8:50477 <-> 202.108.14.219:80 [proto: 7.219/HTTP.iQIYI][2 pkts/813 bytes][Host: msg.71.am] + 49 TCP 192.168.115.8:50483 <-> 202.108.14.219:80 [proto: 7.219/HTTP.iQIYI][2 pkts/616 bytes][Host: msg.71.am] + 50 TCP 192.168.115.8:50485 <-> 202.108.14.236:80 [proto: 7.219/HTTP.iQIYI][2 pkts/1146 bytes][Host: msg.71.am] + 51 TCP 192.168.115.8:50487 <-> 202.108.14.219:80 [proto: 7.219/HTTP.iQIYI][1 pkts/683 bytes][Host: msg.71.am] + 52 TCP 192.168.115.8:50493 <-> 202.108.14.236:80 [proto: 7.219/HTTP.iQIYI][2 pkts/1145 bytes][Host: msg.71.am] + 53 TCP 192.168.115.8:50495 <-> 202.108.14.236:80 [proto: 7.219/HTTP.iQIYI][6 pkts/3441 bytes][Host: msg.71.am] + 54 TCP 192.168.115.8:50501 
<-> 202.108.14.236:80 [proto: 7.219/HTTP.iQIYI][3 pkts/2092 bytes][Host: msg.71.am] + 55 TCP 192.168.115.8:50503 <-> 202.108.14.219:80 [proto: 7.219/HTTP.iQIYI][2 pkts/882 bytes][Host: msg.71.am] + 56 TCP 192.168.115.8:50771 <-> 202.108.14.236:80 [proto: 7.219/HTTP.iQIYI][2 pkts/1145 bytes][Host: msg.71.am] + 57 TCP 192.168.115.8:50773 <-> 202.108.14.221:80 [proto: 7.219/HTTP.iQIYI][2 pkts/1118 bytes][Host: msg.71.am] + 58 TCP 192.168.115.8:50491 <-> 223.26.106.66:80 [proto: 219/iQIYI][27 pkts/34298 bytes][Host: 223.26.106.66] + 59 TCP 192.168.115.8:50505 <-> 223.26.106.19:80 [proto: 7.219/HTTP.iQIYI][246 pkts/320033 bytes][Host: static.qiyi.com] + 60 TCP 192.168.115.8:50507 <-> 223.26.106.19:80 [proto: 7.219/HTTP.iQIYI][2 pkts/1275 bytes][Host: static.qiyi.com] + 61 TCP 192.168.115.8:50767 <-> 223.26.106.20:80 [proto: 7.219/HTTP.iQIYI][8 pkts/2912 bytes][Host: static.qiyi.com] + 62 TCP 192.168.115.8:50781 <-> 223.26.106.20:80 [proto: 7.219/HTTP.iQIYI][1 pkts/303 bytes][Host: preimage1.qiyipic.com] + 63 UDP 192.168.5.41:50374 <-> 239.255.255.250:1900 [proto: 12/SSDP][5 pkts/875 bytes] + 64 TCP 192.168.115.8:50498 <-> 36.110.220.15:80 [proto: 7.219/HTTP.iQIYI][2 pkts/893 bytes][Host: msg.video.qiyi.com] + 65 UDP 192.168.5.57:59648 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/1050 bytes] + 66 UDP 192.168.5.63:60976 <-> 239.255.255.250:1900 [proto: 12/SSDP][1 pkts/165 bytes] + 67 UDP 192.168.5.48:63930 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/358 bytes] + 68 TCP 192.168.115.8:49174 <-> 77.234.41.35:80 [proto: 7/HTTP][5 pkts/3309 bytes] + 69 TCP 192.168.115.8:50486 <-> 77.234.40.96:80 [proto: 219/iQIYI][23 pkts/25892 bytes][Host: bcu.ff.avast.com] + 70 TCP 192.168.115.8:50463 <-> 101.227.200.11:80 [proto: 7.219/HTTP.iQIYI][3 pkts/1861 bytes][Host: api.cupid.iqiyi.com] + 71 TCP 192.168.115.8:50769 <-> 101.227.200.11:80 [proto: 7.219/HTTP.iQIYI][2 pkts/895 bytes][Host: api.cupid.iqiyi.com] + 72 TCP 111.206.13.3:80 <-> 192.168.115.8:50492 [proto: 
7.219/HTTP.iQIYI][3 pkts/1423 bytes][Host: pdata.video.qiyi.com] + 73 TCP 192.168.115.8:50776 <-> 111.206.22.77:80 [proto: 7.219/HTTP.iQIYI][2 pkts/588 bytes][Host: msg.iqiyi.com] + + +Undetected flows: + 1 UDP 192.168.115.8:22793 <-> 222.26.74.190:1037 [proto: 0/Unknown][2 pkts/132 bytes] + 2 UDP 192.168.115.8:22793 <-> 115.157.62.243:29006 [proto: 0/Unknown][2 pkts/132 bytes] + 3 UDP 192.168.115.8:22793 <-> 183.228.182.44:13913 [proto: 0/Unknown][3 pkts/257 bytes] + 4 UDP 192.168.115.8:22793 <-> 222.197.138.12:6956 [proto: 0/Unknown][40 pkts/12412 bytes] + 5 UDP 192.168.115.8:22793 <-> 222.26.193.119:7133 [proto: 0/Unknown][2 pkts/132 bytes] + 6 UDP 192.168.115.8:22793 <-> 183.61.167.82:17788 [proto: 0/Unknown][2 pkts/188 bytes] + 7 UDP 192.168.115.8:22793 <-> 183.61.167.104:17788 [proto: 0/Unknown][2 pkts/260 bytes] + 8 UDP 192.168.115.8:22793 <-> 202.198.7.89:16039 [proto: 0/Unknown][5 pkts/3481 bytes] + 9 UDP 192.168.115.8:22793 <-> 1.175.128.104:5185 [proto: 0/Unknown][2 pkts/132 bytes] + 10 UDP 192.168.115.8:22793 <-> 218.61.39.103:17788 [proto: 0/Unknown][2 pkts/300 bytes] + 11 UDP 192.168.115.8:22793 <-> 218.61.39.87:17788 [proto: 0/Unknown][2 pkts/260 bytes] + 12 UDP 192.168.115.8:22793 <-> 1.169.136.116:17951 [proto: 0/Unknown][4 pkts/512 bytes] + 13 UDP 192.168.115.8:22793 <-> 210.47.12.19:33738 [proto: 0/Unknown][2 pkts/132 bytes] + 14 UDP 192.168.115.8:22793 <-> 210.47.12.20:33738 [proto: 0/Unknown][2 pkts/132 bytes] + 15 UDP 192.168.115.8:22793 <-> 220.130.154.23:35941 [proto: 0/Unknown][2 pkts/174 bytes] + 16 UDP 192.168.115.8:22793 <-> 61.227.170.88:20227 [proto: 0/Unknown][2 pkts/132 bytes] + 17 UDP 192.168.115.8:22793 <-> 114.42.0.158:7716 [proto: 0/Unknown][338 pkts/138754 bytes] + 18 UDP 192.168.115.8:22793 <-> 119.188.133.182:17788 [proto: 0/Unknown][2 pkts/260 bytes] + 19 UDP 192.168.115.8:22793 <-> 219.228.107.156:1250 [proto: 0/Unknown][45 pkts/14863 bytes] + 20 UDP 192.168.115.8:22793 <-> 111.249.53.196:32443 [proto: 0/Unknown][2 pkts/158 
bytes] + 21 UDP 192.168.115.8:22793 <-> 210.44.232.243:21044 [proto: 0/Unknown][2 pkts/132 bytes] + 22 UDP 192.168.115.8:22793 <-> 36.237.154.69:4316 [proto: 0/Unknown][2 pkts/132 bytes] + 23 UDP 192.168.115.8:22793 <-> 202.112.31.89:29072 [proto: 0/Unknown][2 pkts/132 bytes] + 24 UDP 210.44.171.1:29702 <-> 192.168.115.8:22793 [proto: 0/Unknown][2 pkts/132 bytes] + 25 UDP 192.168.115.8:22793 <-> 1.173.5.226:22636 [proto: 0/Unknown][400 pkts/165246 bytes] + 26 UDP 192.168.115.8:22793 <-> 61.223.204.67:11102 [proto: 0/Unknown][2 pkts/132 bytes] + 27 UDP 192.168.115.8:22793 <-> 36.233.39.81:18590 [proto: 0/Unknown][2 pkts/132 bytes] + 28 UDP 192.168.115.8:22793 <-> 111.250.102.66:1107 [proto: 0/Unknown][2 pkts/132 bytes] + 29 UDP 192.168.115.8:22793 <-> 114.37.142.173:1074 [proto: 0/Unknown][2 pkts/132 bytes] + 30 UDP 192.168.115.8:22793 <-> 118.171.15.56:5544 [proto: 0/Unknown][101 pkts/38819 bytes] + 31 UDP 192.168.115.8:22793 <-> 111.117.101.81:10162 [proto: 0/Unknown][2 pkts/132 bytes] + 32 UDP 192.168.115.8:22793 <-> 114.41.144.153:10492 [proto: 0/Unknown][4 pkts/512 bytes] + 33 UDP 192.168.115.8:22793 <-> 121.248.133.93:12757 [proto: 0/Unknown][2 pkts/132 bytes] + 34 UDP 192.168.115.8:22793 <-> 114.47.91.129:22576 [proto: 0/Unknown][2 pkts/132 bytes] |